Characterization and Derivation of Heard-Of Predicates for Asynchronous Message-Passing Models

In distributed computing, multiple processes interact to solve a problem together. The main model of interaction is the message-passing model, where processes communicate by exchanging messages. Nevertheless, there are several models varying along important dimensions: degree of synchrony, kinds of faults, number of faults... This variety is compounded by the lack of a general formalism in which to abstract these models. One way to bring order is to constrain these models to communicate in rounds. This is the setting of the Heard-Of model, which captures many models through predicates on the messages sent in a round and received on time. Yet, it is not easy to define the predicate that captures a given operational model. The question is even harder for the asynchronous case, as unbounded message delay means the implementation of rounds must depend on details of the model. This paper shows that characterising asynchronous models by heard-of predicates is indeed meaningful. This characterization relies on delivered predicates, an intermediate abstraction between the informal operational model and the heard-of predicates. Our approach splits the problem into two steps: first extract the delivered model capturing the informal model, and then characterize the heard-of predicates that are generated by this delivered model. For the first part, we provide examples of delivered predicates, and an approach to derive more. It uses the intuition that complex models are a composition of simpler models. We define operations like union, succession or repetition that make it easier to derive complex delivered predicates from simple ones while retaining expressivity. For the second part, we formalize and study strategies for when to change rounds. Intuitively, the characterizing predicate of a model is the one generated by a strategy that waits for as much messages as possible, without blocking forever.

1. Introduction 1.1. Motivation. Distributed computing studies how multiple processes can accomplish computational tasks by interacting with each other. Various means of communication are traditionally studied; we focus here on message-passing, where processes exchange messages. Yet, message-passing models still abound: they might have various degrees of synchrony (how much processes can drift of from each other in term of processing speed or communication), different kinds of faults (processes crashing, processes crashing and restarting, message loss, Figure 1: From Classical Model to Heard-Of Predicate capture nothing specific about the model -for example the rule that always allows to change rounds. Conversely, rules that are tailored to a specific model, like waiting for n messages, might block processes in other models (where there might be less than n messages received at a round). Finding a corresponding heard-of predicate for an asynchronous model thus requires a model-specific analysis, as well as some way to choose among the possible rules. This paper proposes a formalisation of this question, as well as an approach for answering it for concrete message-passing models.
1.2. Overview. As mentioned above, abstracting message-passing models under one formalism would significantly help with comparing results across models and formally verifying them. The Heard-Of model provides such an abstraction, but only if we can define and compute a corresponding heard-of predicate for asynchronous message-passing models, which is the hardest case due to lack of an upper bound on communication delay. We compute this heard-of predicate in two steps, as shown in Figure 1. We start with the operational model, derive a "delivered predicate", and then find the heard-of predicates that can be implemented by some rule for changing rounds (called a strategy) for this specific delivered predicate. Among such predicates, we propose a criterion to choose the one characterizing the asynchronous message-passing model.
The first step goes from the original asynchronous message-passing model to a delivered predicate, an abstraction that we introduce. A delivered predicate captures the messages that are eventually delivered from each round r, without considering the round of delivery. This is to contrast with heard-of collections, that only capture messages tagged by r if delivered at the receiver when its local round counter is ≤ r. A delivered predicate makes the original model formal in the form of a delivered predicate, but it avoids dealing with the main issue for getting a heard-of predicate: asynchrony. Because the round of delivery is not considered in a delivered predicate, computing the corresponding one for our original model does not require a strategy for when to change rounds. Intuitively, the delivered predicate of a model is the heard-of predicate of the same model if it was synchronous, which are relatively straightforward to define and compute.
The second step goes from the delivered predicate to the heard-of predicate corresponding to the original model. To do so, we define strategies: rules that tell when processes can change rounds. The main constraint on such strategies is to never block a process at a round forever. As mentioned above, the difficulty here comes from the fact that there are in general many different strategies for implementing rounds that don't block forever. Which of these should be the corresponding heard-of predicate? Our answer relies on the following intuition: the predicate precisely capturing the asynchronous model is the predicate satisfied by the fewer heard-of collections, among the set of predicates that can be implemented on top of the original model. Formally, this translates to being included in every other heard-of predicate that can be implemented (considering predicates as sets in the standard way). Such a predicate, if it exists, intuitively constrains communication the most, by allowing fewer possibilities for which messages are heard by who at which round. This choice stems from the relevance of uncertainty for distributed computability. A distributed algorithm has to give the correct answer independently of the specific scheduling, the specific failures, and every other source of uncertainty and non-determinism specified by the model. This means that if everything that could happen according to model M 1 could also happen according to model M 2 , then every correct algorithm for M 2 is also correct for M 1 . In the Heard-Of model, this means that for two heard-of predicates HO 1 and HO 2 such that HO 1 ⊆ HO 2 , then every correct algorithm for HO 2 is also correct on HO 1 .
With this formalization in hand, what is left is a way to compute the resulting predicate and prove that it is indeed the strongest. This problem becomes tractable by introducing operations on predicates (delivered and heard-of) and strategies. Operations capture the intuition that it's often easier to build complex models by composing simple ones together.
Hence if the original model can be framed as such a composition, its delivered predicate can similarly be constructed from the delivered predicates of the building blocks, thanks to the operations we define. For some families of strategies (strategies that only depend on some limited part of the local state of a process, here the messages of the current round or the messages of past and current rounds respectively), the strategy that implements the heard-of predicate corresponding to the full model can be built from the strategies of the building blocks using analogous operations on strategies that we define. Then the heard-of predicate of this built strategy is linked with the composition of the heard-of predicates implemented by the building block strategies.

1.3.
Contributions. The contributions of this article are the following: • The definition of delivered predicates and strategies, in Section 3.
• Operations on delivered predicates and strategies, to build complex predicates, in Section 4.
• The formalization of the derivation of heard-of predicates from a delivered predicate and a strategy, in Section 5. This comes with a complete example: the asynchronous message-passing model with reliable communication and at most F permanent crashes. • The study of oblivious strategies, the strategies only looking at messages for the current round, in Section 6. We provide a technique to extract a strategy dominating the oblivious strategies of the complex predicate from the strategies of its building blocks; exact computations of the generated heard-of predicates; and a sufficient condition on the building blocks for the result of the operations to be dominated by an oblivious strategy. • The study of conservative strategies, the strategies looking at all messages from previous and current round, as well as the round number, in Section 7. We provide a technique to extract a strategy dominating the conservative strategies of the complex predicate from the strategies of its building blocks; upper bounds on the generated heard-of predicates; and a sufficient condition on the building blocks for the result of the operations to be dominated by a conservative strategy. • A preliminary exploration of strategies using messages from future rounds, and an extended example where these strategies build stronger heard-of predicates than oblivious and conservative strategies, in Section 8.

The Heard-Of Model
In the Heard-Of model of Charron-Bost and Schiper [7], algorithms are defined by rounds, and an execution is an infinite sequence of rounds. At each round, a process broadcasts, receives, and does a local computation. The Heard-Of model ensures communication-closedness [10]: in an algorithm, processes at a given round only interact with processes at the same round -they only consider messages from this round. In the Heard-Of model, executions are necessarily infinite, and processes change rounds infinitely. Nevertheless, this does not prevent an algorithm from terminating, and, for instance to achieve consensus or election: the system reaches a configuration where the local state of each process does not change anymore.
The Heard-Of model constrains communication through heard-of predicates, which are themselves predicates on heard-of collections. These predicates play the role of assumptions about synchrony, faults, network topology, and more. Usually, heard-of collections are represented as functions from a round r and a process p to a set of processes -the processes from which p heard the message sent at round r before or during its own round r.
Definition 2.1 (Heard-Of Collection and Predicate). Let Π a set of processes. A heard-of collection is an element h of (N * × Π) → P(Π). The heard-of sets of a heard-of collection are the outputs of this collection. A heard-of predicate HO for Π is a set of heard-of collections, that is an element of P((N * × Π) → P(Π)).
From another perspective, heard-of collections are infinite sequences of communication graphs -directed graphs which capture who hears from whom on time, in that q ∈ h(r, p) ⇐⇒ (q, p) is an edge of the r-th communication graph. Definition 2.2 (Collection as a Sequence of Directed Graphs). Let Graphs Π be the set of directed graphs whose nodes are the elements of Π. Then gr ∈ (Graphs Π ) ω is a heard-of collection. A function h and a sequence gr represent the same collection when ∀r > 0, ∀p ∈ Π : h(r, p) = In gr[r] (p), where In(p) is the set of incoming neighbors of p.
In general, which perspective to use in a theorem or a proof naturally follows from the context. For example, h[r] makes sense for a sequence of directed graphs, while h(r, p) makes sense for a function.

Delivered Predicates: Rounds Without Timing
Our concern is asynchronous message-passing models. What makes the synchronous case easier than the asynchronous case boils down to the equivalence between the messages that are received at all, and those that are received on time. This cannot be replicated in the asynchronous case, as each asynchronous model requires a different rule for which messages to wait for before changing round. For example, in an asynchronous model with at most F crashes, a process can wait for n − F messages before changing round without risking waiting forever, as at least n − F processes will never crash. In the asynchronous model with at most F + 1 crashes, doing so will get processes blocked in some cases. Nevertheless, it might be impossible to wait for all the messages that will be delivered and not block forever. As explained before, in an asynchronous model with at most F crashes, process wait for n − F messages before changing round. If less than F processes crash, not all the messages will be waited for: a process may change round as soon as it has received n − F messages, and some messages will be received too late and therefore be ignored. 3.1. Delivered Predicates. Delivered sets are introduced to distinguish between the set of all delivered messages (on time or late) and the messages delivered before changing round (a heard-of set). A delivered collection is a sequence of delivered sets, and a delivered predicate is a predicate on delivered collections that defines which messages are received, ignoring changes of rounds. Observe that a delivered predicate has the same formal definition as Definition 2.1 of heard-of predicates -only the interpretation changes -, and the graph-based notation similarly applies.
Definition 3.1 (Delivered Collection and Predicate). Let Π a set of processes. A delivered collection is an element c of (N * × Π) → P(Π). The delivered sets of a delivered collection are the outputs of this collection. A delivered predicate DEL for Π is a set of delivered collections, that is an element of P((N * × Π) → P(Π)).
For examining the difference between heard-of and delivered collections, recall that we're considering the Heard-Of model at a system level: we're implementing it. Let's take an execution of some implementation (which needs to satisfy some constraints, defined later in Section 5.1): a linear order of emissions, receptions and changes of rounds (a step where the local round counter is incremented) for each process. Then if each process changes round infinitely often, there's a delivered collection d and a heard-of collection h corresponding to this execution -just look at which messages sent to j tagged with round r where received at all by j (for d), and which were received when the round counter at j was ≤ r (for h). That is, for a round r > 0 and processes k, j ∈ Π, k ∈ d(r, j) means that j received at some point the message of k annotated by r. On the other hand, k ∈ h(r, j) means that j received the message of k annotated by r while its round counter was ≤ r. Hence the heard-of collection extracted from this execution captures which messages were waited for (and thus could be used at the algorithm level -that's not treated here), whereas the delivered collection extracted from this execution captures which messages were received at all. For example, the following scenario: To find the delivered predicate corresponding to an asynchronous model, the intuition is to take the synchronous version of the model, and then take the heard-of predicate that would be implemented by the rule for changing rounds in synchronous models. This is the delivered predicate for the model. This captures the strongest heard-of predicate that could be implemented on top of this asynchronous model, if processes could wait for all messages that will be delivered. In general, they can't, since it requires knowing exactly what's happening over the whole distributed system. Nonetheless, the delivered predicate exists, and it plays the role of an ideal to strive for. The characterizing heard-of predicate of a model will be the closest overapproximation of the delivered predicate that can actually be implemented.

A Delivered
where K c (r) is the kernel of c at r: K c (r) p∈Π c(r, p), and card is the cardinality function.
Charron-Bost and Schiper [7, Table 1] define it as the heard-of predicate of the synchronous version of this model. We now give an argument for why, if you take the asynchronous model with reliable communication and at most F permanent crashes, and implement communication-closed rounds in any way that ensures an infinite number of rounds for every process, the messages received will form a delivered collection of DEL crash F . In the other direction, every collection of DEL crash F captures the messages received in an execution of the implementation of rounds on top of the aforementioned asynchronous model. • Let t be an execution of an implementation of communication-closed rounds on top of the asynchronous model above, with the condition of ensuring an infinite number of rounds. We consider that a crashed process is modelled as a silent process: a crashed process will still receive all messages after it crashes, but will never do anything else after it crashed. This is observationally indistinguishable for the other processes. Since every process that has not crashed broadcasts, this entails that every process will eventually hear the message from every non-crashed process at this round. Since there's at most F crashes, that's at least n − F messages per round. Hence card(c(r, j)) ≥ n − F for every process j and round r. Also, if p hears from k at round r + 1, then k sent the message before crashing. This means k did not crash at its own round r, and thus that the message it broadcast at that round r was sent, and eventually received by all processes. Hence c(r + 1, j) ⊆ K c (r).
This collection corresponds to the execution where the crashed processes are the ones that stop broadcasting. Because communication is reliable, k / ∈ c(r, p) means that k never sent its message to p tagged with r. From the model this means that it crashed during its broadcast at round r or earlier. Each crash thus happens at the first round where the crashed process is not heard by everyone, after sending the messages that are actually received at this round. Later in this article, the heard-of predicate characterizing this delivered predicate (the most constrained one) is derived. We mention it here, as a comparison [7]: The difference lies in the kernel condition: DEL crash F ensures that if any message sent by p at round r is not eventually delivered, then no message will be delivered from p at rounds > r. Intuitively, p not broadcasting means that it crashed during round r or earlier, and that it will never send messages for the next rounds. However, this is not maintained by HO F , as the n − F messages that are waited for are not necessarily the same for each process. So k might wait for a message from p at round r, but j might receive at least n − F messages at This one is not from Charron-Bost and Schiper [7], but we can apply the same reasoning as for the previous delivered predicate. Here the sum counts the number of messages that are never delivered. Since all the processes are correct, this corresponds to the number of lost messages. For L = 1, the best known strategy (to our knowledge) implements the heard-of predicate {h, a heard-of collection | ∀r > 0, p∈Π card(Π \ ho(r, p)) ≤ 1}.
What is lost in implementing a heard-of predicate on top of the delivered predicate DEL loss 1 is that instead of losing only one message over the whole execution, there might be one loss per round. This is explained in Section 8.

Composing Delivered Predicates
Finding the delivered predicate for a complex model is difficult. However, simple models are relatively easy to characterize by a delivered predicate. This motivates the following proposal to solve the plain part of Figure 2: composing simple delivered predicates to derive complex delivered predicates. That way, there will be no need to define by hand the delivered predicates of complex models. 4.1. Introductory Example. Consider a system where one process might crash and may or may not recover later on 1 . In some sense, this behavior is defined by having the delivered collections for one possible crash that never recovers, and the delivered collections for one possible crash that must recover. This amounts to a union (or a disjunction); we write it DEL canrecover 1 DEL crash 1 ∪ DEL recover 1 . The first predicate of this union is DEL crash 1 , the 1 If it does, we can assume that its memory is intact and no messages received in the meantime are lost, but that's not important for the system level implementation. . Intuitively, a process that can crash but must recover afterward is described by the behavior of DEL crash 1 which is shifted to the behavior of DEL total (the predicate where all the messages are delivered) after some time. We call this the succession of these predicates, and write it DEL recover 1 DEL crash 1 DEL total . Finally, imagine adding to this system another permanent crash. The full behavior is such that there might be one crashed process as constrained by DEL crash 1 , and another crashed process as constrained by DEL canrecover 1 . We call it the combination (or conjunction) of these predicates, and write it DEL crash 1 DEL canrecover 1 .
The complete system is thus described by DEL crash In the following, we also introduce an operator ω to express repetition. For example, a system where, repeatedly, a process can crash and recover is (DEL crash 1 DEL total ) ω .

4.2.
Operations on predicates. Let's now formally define these operations.
Definition 4.1 (Operations on predicates). Let P 1 , P 2 be two delivered or heard-of predicates.
• The union of P 1 and P 2 is The intuition behind these operations is the following: • The union of two delivered predicates is equivalent to an OR on the two communication behaviors. For example, the union of the delivered predicate for one crash at round r and of the one for one crash at round r + 1 gives a predicate where there is either a crash at round r or a crash at round r + 1. • The combination of two behaviors takes every pair of collections, one from each predicate, and computes the intersection of the graphs at each round. Meaning, it adds the loss of messages from both, to get both behaviors at once. For example, the combination of the delivered predicate for one crash at round r and of the one for one crash at round r + 1 gives a predicate where there is a crash at round r and a crash at round r + 1. Observe that combining DEL crash 1 with itself gives DEL crash 2 , the predicate with at most two crashes. • For succession, the system starts with one behavior, then switches to another. The definition is such that if r = 0, then no prefix of c 1 is used (the first behavior never happens), but the second one must always happen. For example, the succession of DEL crash 1 (one possible crash) with DEL total (no crash) is a possible crash that recovers. • Repetition is the next logical step after succession: instead of following one behavior with another, the same behavior is repeated again and again. For example, taking the repetition of at most one crash results in a potential infinite number of crash-and-restart, with the constraint of having at most one crashed process at any time.
In these predicates, before round r, every process receives every message. At round r a crash might happen, which means that processes only receive messages from a subset Σ of Π of size card(Π) − 1 from round r + 1 onwards. The subtlety at round r is that the crashed process (the only one in Π \ Σ) might crash while sending messages, and thus might send messages to some processes and not others.
Another fundamental predicate is the total one: the predicate containing a single collection c total , the one where every process receives every message at every round. Using these building blocks, many interesting and important delivered predicates can be built, as shown in Table 1. For example, let's take DEL crash 1 , the predicate with at most one crash. If a crash happens, it happens at one specific round r. DEL crash 1 is a disjunction for all values of r of the predicate with at most one crash at round r; that is, the union of DEL crash 1,r for all r.

From Delivered Predicates to Heard-Of Predicates
After defining delivered predicates and discussing how to find and/or build them, the next step is to study the heard-of predicates that can be implemented over a given delivered predicate. This is the plain part of Figure 3, which works between two mathematical abstractions, and is formal. To do so, we start by defining executions on the delivered predicate: traces of the system's behavior that can be analysed. Next, we define strategies, which capture the rules for changing rounds, and thus constrain possible executions to those where changes of rounds happen only when allowed by the strategy. If such a strategy never generates an execution where some process is blocked forever at a round, it is called valid, and implements a heard-of predicate (one collection per execution). Finding the heard-of predicate corresponding to a given delivered predicate then boils down to defining a partial order of valid strategies by way of their heard-of predicate, and taking the greatest element.  Executions. The theory of distributed computing relies on the concept of executions: traces of a system's behavior, with enough detail to be formally analysed. Here, as we study the system-level implementation of the Heard-Of model, the executions we consider are not executions of an algorithm solving a distributed computing problem, but the executions of the implementation of a specific heard-of predicate. Hence, these executions only track emissions, receptions and changes of rounds. Because the content of each message is not important for the implementation of rounds, and we care about which messages will be received on time, the emissions are implicit: as long as a process changed round r − 1 times, it sent its messages for round r (which messages will depend on the delivered collection used, as explained in a few paragraphs). As for the local state of each process during this implementation, it contains a local round counter and the set of received messages. The last thing that is missing here is the implementation algorithm: the rule that specifies when to change rounds. This is called a strategy, and is defined below. First, we define executions as sequences of events that satisfy some basic constraints on the ordering of events. We then constrain them by requiring the delivery of exactly the messages from some delivered collection. The introduction of strategies constrains them some more, so that the executions allowed are the executions of an implementation of rounds using this strategy. Executions are infinite sequences of events, either delivery of messages (deliver(r, k, j), which represents the delivery at j of the message from k tagged with r), change to the next round for some process j (next j ), which also includes the broadcast for the next round, or a deadlock (stop). An execution must satisfy three rules: no message is delivered before it is sent, no message is delivered twice, and once there is a stop, the rest of the sequence can only be stop.
Executions can be constrained by a delivered collection c: if k changes round at least r − 1 times in the execution, then it sends all the messages tagged with r to processes j satisfying k ∈ c(r, j), and these messages are delivered in the execution. Moreover, every delivery must be of such a message. The executions of a delivered predicate are the executions of the collections of the predicate.
For a delivered predicate DEL, we write execs(DEL) = c∈DEL execs(c).
Definition 5.1 above casts behavior in term of changes to the system -the deliveries and changes of rounds. A dual perspective interprets behavior as the sequence of successive states of the system. In a distributed system, such states are the product of local states. The local state of a process is the pair of its current round and all the received messages up to this point 2 . Notably, such a local state doesn't contain the identity of the process. This is both because we never need this identity, and because not dealing with it allows an easier comparison of local states, since two distinct processes can have the same local state. A message is represented by a pair round, sender (instead of triplet like in deliver events, because the receiver is implicit -it's the process whose local state we're looking at). For a state q, q(r) is the set of peers from which the process (with state q) has received a message tagged with round r.
For q = r, mes , we write q.round for r, q.mes for mes and ∀r > 0 : q(r ) {k ∈ Π | r , k ∈ q.mes}. 2 Recall that this is the local state of the system-level implementation of rounds, not of the algorithm running on top of the Heard-Of model. Hence, this doesn't constrain the internal structure of the algorithms. Let t be an execution, p ∈ Π and i ∈ N. Then the local state of p in t after the prefix of Notice that such executions do not allow a process to "jump" from say round 5 to round 9 without passing by the rounds in-between. Indeed, the Heard-Of model doesn't let processes decide when to change rounds: processes specify only which messages to send depending on the state, and what is the next state depending on the current state and the received messages. So it makes sense for a system-level implementation of heard-of predicates to do the same. Nevertheless, the algorithm running on top of the Heard-Of model can "jump" rounds, by not doing anything for a certain number of rounds.

Strategies and Composition of
Strategies. An execution of a delivered collection where all processes change round infinitely often defines a heard-of collection. This is done by looking, for each round r and process p, at the set of processes such that p received their message tagged by r when the round counter at p was ≤ r. However, not all of the executions, as defined in 5.2, ensure an infinite number of rounds for each process. For example, for a delivered collection c, the execution where all messages from round 1 are delivered according to c (whatever the order) and then stop transitions happen forever is an execution of c. Yet it blocks all processes at round 1 forever. Strategies are introduced to solve this problem: they constrain executions. A strategy is a set of states from which a process is allowed to change round. It can also be seen as a predicate on local states. It captures rules such as "wait for at least F messages from the current round", or "wait for these specific messages". Again, not all strategies lead to executions with an infinite number of rounds. We then consider valid strategies, which are strategies that ensure the resulting executions always contain an infinite number of rounds for each process.
Strategies as defined above are predicates on states 3 . This makes them incredibly expressive, but this expressivity creates difficulty in reasoning about them. To address this problem, we define families of strategies. Intuitively, strategies in a same family depend on a specific part of the state -for example the messages of the current round. Equality of these parts of the state defines an equivalence relation; the strategies of a family are strategies such that if a state q is in the strategy, then all states in the equivalence class of q are in the strategy. {f, a strategy | ∀q 1 , q 2 ∈ Q : Let's define the executions of a strategy. The intuition is simple: every change of rounds (an event next k for k a process) happens only if the local state of the process is in the strategy. There is a fairness assumption that ensures that if the local state of some process k is eventually continuously in the strategy, then it will eventually change round (have a next k event) 4 . A subtlety hidden in this obvious intuition is that the check for changing round (whether the local state is in the strategy) doesn't necessarily happen at each reception; it can happen at any point. This captures an asynchronous assumption where processes do not decide when they are executed.
Definition 5.6 (Executions of a Strategy). Let f be a strategy and t an execution. Then t is an execution of f if t satisfies: For a delivered predicate DEL, execs f (DEL) {t | t an execution of f ∧ t ∈ execs(DEL)}.
The first property states that processes only change round (the next transition) when their local state is in the strategy. Fairness ensures that the only way for a process p to be blocked at a round r is for p's local state to not be in f an infinite number of times. If the local state of p is outside of f only a finite number of times, the local state of p is eventually always in f , and the execution must contain another next p .
Going back to strategies, not all of them are equally valuable. In general, strategies with executions where processes are blocked forever at some round are less useful (to implement infinite sequences of rounds) than strategies without such executions. The validity of a strategy captures the absence of such an infinite wait.
Let DEL a delivered predicate and f a strategy. Then f is a valid strategy for DEL iff ∀t ∈ execs f (DEL), t is a valid execution.
Finally, analogous to how we can combine complex predicates through operations, we can also compose complex strategies through similar operations: Definition 5.8 (Operations on strategies). Let f 1 , f 2 be two strategies. The following operations are defined: for q 1 and q 2 at the same round r, The intuition behind these operations is analogous to the ones for predicates: • The union of two strategies is equivalent to an OR of the two conditions. For example, the union of waiting for at least n − F messages and waiting for all messages but the ones from p 1 gives a strategy that accepts change of round when more than n − F messages are received or when all messages except the one from p 1 are received. • The combination of two strategies takes all intersections of local states in the first strategy and local states in the second. For example, combining the strategy that waits at least n − 1 messages for the current round with itself will wait for at least n − 2 messages. • For succession, the states accepted are those where messages up to some round correspond to an accepted state of the first strategy, and messages from this round up correspond to an accepted state of the second strategy.

26:16
Adam Shimi, Aurélie Hurault, and Philippe Queinnec Vol. 17:3 • Repetition is the next logical step after succession: instead of following one strategy with another, the same strategy is repeated again and again.

Extracting Heard-Of Collections of Executions.
If an execution is valid, then all processes go through an infinite number of rounds. That is, it captures the execution of a system-level implementation of rounds where no process blocks forever at some round. It thus makes sense to speak of the heard-of collection implemented by this execution: at the end of round r for process p, the messages from round r that were received by p define the heard-of set for r and p.

Definition 5.9 (Heard-Of Collections Generated by Executions and Heard-Of Predicate
Generated by Strategies). Let t be a valid execution. Then the heard-of collection generated by t, h t Let DEL be a delivered predicate, and f be a valid strategy for DEL. Then the heard-of predicate generated by f on DEL As the strategy is valid, this definition is well-founded and the strategy generates a heard-of predicate from the delivered predicate. 5.4. Dominating Predicate. The way to go from a delivered predicate to a heard-of one is to design a valid strategy for the former that generates the latter. With different strategies, different heard-of predicates can be generated. Which one should be considered as the characterization of the delivered predicate (and of the corresponding operational model)? A heard-of predicate generated from a delivered predicate is an over-approximation of the latter. To be able to solve as many problems as possible, as many messages as possible should be received on time. The characterizing heard-of predicate is thus the smallest such overapproximation of the delivered predicate, if it exists. This intuition is formalized by defining a partial order on valid strategies for a delivered predicate, capturing the implication of the generated heard-of predicates (the inclusion when considered as sets). One strategy dominates another if the heard-of collections it generates are also generated by the other. Dominating strategies are then the greatest elements for this order. By definition of domination, all dominating strategies generate the same dominating heard-of predicate, which characterizes the delivered predicate.

Standard and Canonical Executions.
In the following sections, we prove properties about dominating strategies, their invariance by the operations, and the heard-of predicates that they generate. These proofs rely on reasoning by contradiction: assume the theorem or lemma is false, and derive a contradiction. These contradictions take the form of proving that a valid strategy has an invalid execution; constructing specific executions is therefore the main technique in these proofs. This section introduces two patterns for constructing executions: one from a delivered collection and a strategy, the other from a heard-of collection.
To do so, let's fix ord as some function taking a set and returning an ordered sequence of its elements -the specific ordering doesn't matter. This will be used to ensure the uniqueness of the executions, but the order has no impact on the results. 5.5.1. Standard Execution. The standard execution extracts an execution from a delivered collection. It follows a loop around a simple pattern: deliver all the messages that were sent according to the delivered collection, then change round for all the processes which are allowed to do so by f . The intuition is that it's the simplest way to specify an execution where strategies that look only at messages from current and previous rounds (as studied latter) always have all the information available to them. This means that if at one point a first process fails to change round while using such a strategy, it will be blocked at this round for the rest of the standard execution.
, the ordered sequence of next transitions for processes for which the state resulting from the deliveries in dels 1 is in f .
This is the ordered sequence of deliveries of messages from processes that changed round during changes r−1 .
This is the ordered sequence of changes of round for processes such that their state after the deliveries of dels r is in f .
The main property of a standard execution of f on c is that it is both an execution of f and an execution of c.

Canonical Execution.
Whereas the standard execution captures a straightforward way to create an execution from a strategy and a delivered collection, this new construction starts with a heard-of collection, and creates a valid execution generating it from the total delivered collection (the one with all the receptions). The link between the two is that when we want to prove that a valid strategy f implements a heard-of collection ho (useful for showing dominance of strategies), we show by contradiction that the canonical execution of ho is an execution of f . Since the proof by contradiction assumes that one of the next j transitions in the canonical execution is not allowed by f , we can usually find a delivered collection where the messages delivered at this point are the only ones that will ever be delivered to j, and so show that the standard execution of this delivered collection is not valid, which contradicts the validity of f . This canonical execution follows a simple pattern: at each round, deliver all the messages from the heard-of sets of this round, and also all the messages undelivered from the previous round (the ones that were not in the heard-of sets of the previous round). • dels 1 ord({deliver(1, k, j) | k ∈ ho(1, j)}), the ordered sequence of deliveries that happen at round 1 in h.
This canonical execution is an execution of any delivered predicate containing c total , the collection where every message is delivered. Having this collection in a delivered predicate ensures that although faults might happen, they are not forced to do so.
Lemma 5.14 (Canonical Execution is an Execution of Total Collection). Let ho be a heard-of collection. The canonical execution can(ho) of ho is an execution of c total .
Proof. First, can(ho) is an execution by Definition 5.1 since it satisfies the three conditions: • Delivered only once: Every sent message is delivered either during the round it was sent or during the next one, and thus delivered only once. • Delivered after sending: Every message from round r is delivered after either r − 1 or r next p transitions for the sender p, which means at round r or r + 1. Hence the message is delivered after being sent. • Once stopped, forever stopped: No process stops, so the last condition for executions is trivially satisfied. Furthermore, for each process p and round r, all the messages from p at round r are delivered in can(ho), either at round r or at round r + 1. Since the total collection is the collection where every message is delivered by Definition 4.3, this entails that can(ho) is an execution of the total delivered collection by Definition 5.2, and thus an execution of DEL.
Lastly, the whole point of the canonical execution of ho is that it generates ho.
Lemma 5.15 (Canonical Execution Generates its Heard-Of Collection). Let ho be a heard-of collection. Then h can(ho) = ho.
-Definition 5.13 implies that next j appears only in the changes s sequences, and only once in each changes s . So, since can(ho) is in changes r and so is between dels r and dels r+1 .
.mes and can(ho)[i] is between dels r and dels r+1 , Definition 5.13 implies that p ∈ ho(r, j). -Definition 5.13 ensures that dels r is before changes r in can(ho). Since p ∈ ho(r, j), so deliver(r, p, j) appears in can(ho) before index i and so r, p ∈ q can(ho) j [i].mes.

5.6.
A Complete Example: At Most F Crashes. Let's look at a concrete example to get a better grasp at how all these concepts work together, and the kind of results they allow us to prove. We consider DEL crash F from Definition 3.2, the message-passing model with asynchronous and reliable communication, and at most F permanent crashes. We now give a dominating strategy for this predicate, as well as compute its heard-of predicate. The folklore strategy for this model is to wait for at least n − F messages before allowing the change of round.
Definition 5.16 (waiting for n − F messages). The strategy to wait for n − F messages is To see why this strategy is used in the literature, remark that at least n − F messages must be delivered to each process at each round. Thus, waiting for that many messages ensures that no process is ever blocked. However, waiting for more will result in processes blocking forever if F crashes occur. Rephrased with the concepts introduced above, f n−F is a valid and dominating strategy for DEL crash Proof. We proceed by contradiction. Assume f n−F is invalid for DEL crash F . By Definition 5.17, there exists an invalid t ∈ execs f n−F (DEL crash F ). By Definition 5.17 of validity, ∃p ∈ Π, ∃N, ∀i ≥ N : t[i] = next p : there is a smallest round r such that some process j stays blocked at r forever in t. Because t is an execution of f , Definition 5.6 entails that infinitely many local states of j must be not in f n−F ; if it was not the case, the fairness condition would force the execution to contain another next j . Let also c t be a delivered collection of DEL crash F such that t ∈ execs(c). We know by Definition 3.2 of DEL crash F that card(c t (r, j)) ≥ n − F . The minimality of r and the fact that t ∈ execs(c) ensure by Definition 5.2 that all the messages in this delivered set are delivered at some point in t. By Definition 5.16 of f n−F , the local state of j is then in f n−F from this point on. By the fairness constraint of Definition 5.6, this contradicts the fact that there is never another next j in the suffix of t. We conclude that f n−F is valid for DEL crash F . The next step is to prove that this strategy is dominating the predicate. We first need to compute the heard-of predicate generated by f n−F . This heard-of predicate was given by Charron-Bost and Schiper [7] as a characterization of the asynchronous model with reliable communication and at most F crashes, without a formal proof. The intuition behind it is that even in the absence of crashes, we can make all the processes change round by delivering any set of at least n − F messages to them. ) an execution of f n−F generating ho. By Definition 5.6 of the executions of f n−F , processes change round (a next k event) only when their local state is in f n−F . By Definition 5.16, This means that this local state q satisfies card({k ∈ Π | q.round, k ∈ q.mes}) ≥ n − F }: the process received at least n − F messages tagged with the current value of its round counter. This in turns implies by Definition 5.9 of the heard-of collection of an execution that ∀r ∈ N * , ∀j ∈ Π : card(ho(r, j)) ≥ n − F . • (⊇). Let ho a heard-of collection over Π such that ∀r ∈ N, ∀j ∈ Π : card(ho(r, j)) ≥ n − F .
Let t be the canonical execution of ho; since DEL crash F contains the total collection, t is an execution of DEL crash F by Lemma 5.14. To prove that t is also an execution of f n−F , we proceed by contradiction. Assume it is not an execution of f n−F . By Definition 5.6, the problem stems either from breaking fairness or from some next p for some p at a point where the local state of p is not in f n−F . Since by Definition 5.13 of a canonical execution, ∀p ∈ Π : next p appears an infinite number of times, the only possibility left is the second one: there is some p ∈ Π and some next p transition in t that happens while the local state of p is not in f n−F . Let r be the smallest round where this happens, and j the process to which it happens. By Definition 5.13 of a canonical execution, j received all the messages from ho(r, j) in t before the problematic next j . By hypothesis, card(ho(r, j)) ≥ n − F . By Definition 5.16 of f n−F , the local state of j is in f n−F from this point on. By the fairness constraint of Definition 5.6, this contradicts the fact that j cannot change round at this point in t. Hence t is an execution of f n−F .
We conclude that ho ∈ HO f n−F (DEL crash F ). Finally, we want to vindicate the folklore intuition about this strategy: that it is optimal in some sense. Intuitively, waiting for more than n − F messages per round means risking waiting forever, and waiting for less is wasteful. Our domination order captures this concept of optimality: we show that f n−F is indeed a dominating strategy for DEL crash F . Therefore, Proof. Let f be a valid strategy for DEL crash F ; the theorem follows by Definition 5.10 from Let ho ∈ HO f n−F (DEL crash F ), and let t be the canonical execution of ho. Since DEL crash F contains the total collection, t is an execution of DEL crash F by Lemma 5.14. We need to prove that it is also an execution of f to conclude by Lemma 5.15 that f generates ho, and thus that the inequality above and the theorem hold. We do so by contradiction. Assume t is not an execution of f . By Definition 5.6, it is either because the fairness condition is broken or because some next p for some process p happens when the local state of p is not in f . Since Definition 5.13 of canonical executions implies that t contains an infinite number of next p for every process p ∈ Π, the problem must come from some next j done by a process j when j's local state is not in f . Let r be the first round where this happens. At the point of the forbidden next j , by Definition 5.13 of a canonical execution, j has received all the messages from previous rounds, and all the messages from ho(r, j). Then ho ∈ HO f n−F (DEL crash F ) implies that ho ∈ HO F by Theorem 5.18. It then follows from the definition of HO F that ho(r, j) contains at least n − F processes.
We define c block such that: This corresponds to the collection where all the processes from which j did not receive a message at the problematic next j in t are correct up to round r and then stop sending messages. c block is a delivered collection of DEL crash F by Definition 3.2: processes that stop sending messages never do again, and at most F processes do so because ho(r, j) contains at least n − F processes by the reasoning above.
Let t = st(f, c block ) be the standard execution of f on c block . Lemma 5.12 entails than t is an execution of f on c block . Since r is the smallest round in t with a wrong next j , for all rounds < r the local state of j is enough for f to allow the change of round. By Definition 5.11 of standard executions, all changes k for k < r contain a next transition for all processes in t . By the same definition, all dels k for k ≤ r of t contain the same deliveries for each process as the deliveries for j in the dels k of t. Hence, in t , all the processes reach round r, all get the same state as j in t at round r, and thus they all block at this round, which means the suffix of t is made of stop only. t is invalid, and so is f . This contradicts the hypothesis that f is valid; we conclude that ho ∈ HO f (DEL crash F ). Therefore, f n−F dominates f by Definition 5.10, where f is any valid strategy for DEL crash F , which means that f n−F dominates DEL crash F by Definition 5.10.
Waiting for n − f messages thus gives us the best heard-of predicate that can be implemented on DEL crash F . This means that there is no point in remembering messages from past rounds, and messages from future rounds are not used either. Intuitively, messages from past rounds are of no use in detecting crashes in the current round. As for messages from future rounds, they actually serve to detect that a process has not crashed when sending its messages from the current round. For this to actually change the heard-of predicate, it would require that some heard-of collection be impossible to generate when using this future information. This is not the case, as there is always an execution where no message from future rounds are delivered early (the canonical execution).

Oblivious Strategies: Looking Only at the Current Round
Because of the generality of strategies, considering them all brings many issues in proving domination. Yet there exist interesting classes of strategies on which results can be derived. Our first such class is the class of oblivious strategies: they depend only on the received messages from the current round. For example, f n−F is an oblivious strategy, as it counts messages from the current round. Despite their apparent simplicity, some oblivious strategies dominate non-trivial delivered predicates, as in the case of f n−F and DEL crash F . In this section, we define oblivious strategies and give a necessary and sufficient condition for an oblivious strategy to be valid (Section 6.1). This yields useful results on the composition of oblivious strategies (Section 6.2), and enables to compute the heard-of predicate of an oblivious strategy applied to a delivered predicate (Section 6.3). Finally, we give a sufficient condition for oblivious domination, and show that this condition is preserved by composition (Section 6.4).
6.1. Definition and Expressiveness. Oblivious strategies are a family of strategies in the sense of Definition 5.5 -where the equivalence relation between the local states compare only the messages received for the current round. Definition 6.1 (Oblivious Strategies and Nexts f ). Let obliv be the function such that ∀q ∈ Q : obliv(q) {k ∈ Π | q.round, k ∈ q.mes}. Let ≈ obliv the equivalence relation defined by q 1 ≈ obliv q 2 iff obliv(q 1 ) = obliv(q 2 ). The family of oblivious strategies is family(≈ obliv ).
For f an oblivious strategy, let Nexts f {obliv(q) | q ∈ f }. It uniquely defines f .
An oblivious strategy reduces to a collection of sets, the sets of processes from which receiving a message in the current round is enough to change round. The strategy allows the change of round if, and only if, the processes heard at the current round form a set in this collection. This provides a simple necessary condition on such a strategy f to be valid: its Nexts f set must contain all the delivered sets from the corresponding delivered predicate. If it does not, an execution would exist where the messages received at some round r by some process p are exactly this delivered set, which would block forever the process p and make the strategy invalid. This necessary condition also proves sufficient. Lemma 6.2 (Necessary and Sufficient Condition for Validity of an Oblivious Strategy). Let DEL be a delivered predicate and f be an oblivious strategy. Then f is valid for DEL ⇐⇒ f ⊇ {q | ∃c ∈ DEL, ∃p ∈ Π, ∃r > 0 : obliv(q) = c(r, p)}.

Proof.
• (⇒) Let f be valid for DEL. We show by contradiction that f contains all local states q such that ∃c ∈ DEL, ∃p ∈ Π, ∃r > 0 : obliv(q) = c(r, p). Assume there is some q block for which it is not the case: then ∃c ∈ DEL, r > 0 and j ∈ Π such that obliv(q block ) = c(r, j) and q block / ∈ f . By Definition 6.1, this means that for every q such that obliv(q) = obliv(q block ) = c(r, j), we have q / ∈ f . Let t = st(f, c) be the standard execution of f on c. This is an execution of f on c by Lemma 5.12. The sought contradiction is reached by proving that t is invalid. To do so, we split according to two cases: the first case is where there is a blocking process before round r, and the second case is where there is no blocking process before round r. This last case then uses the hypothesis on c(r, j) to show that all the processes block at r.
-During one of the first r − 1 iterations of t, there is some process which cannot change round. Let r be the smallest iteration where it happens, and k be a process unable to change round at the r -th iteration. By minimality of r , all the processes arrive at round r in t; by Definition 5.11 of the standard execution, all messages for k from round r are delivered before the change r part of the iteration. Let q be the local state of k at the start of change r in the r -th iteration, and let q be any local state of k afterward.
The above tells us that as long as q .round = q.round, we have obliv(q) = obliv(q ) and thus q / ∈ f . Therefore, k can never change round while at round r . We conclude that t is invalid by Definition 5.17.
-For the first r − 1 iterations, all the processes change round. Thus everyone arrives at round r in the r − 1-th iteration. By Definition 5.11 of the standard execution, all messages from the round are delivered before the change r part of the r-th iteration. Thus j is in a local state q at the change r part of the r-th iteration such that obliv(q) = c(r, j) = obliv(q block ). By hypothesis, this means q / ∈ f and thus that j cannot change round. Let q be any local state of j afterward. The above tells us that as long as q .round = r, we have obliv(q) = obliv(q ) = c(r, j) and thus q / ∈ f . Therefore, j can never change round while at round r. Here too, t is invalid by Definition 5.17. Either way, we reach a contradiction with the validity of f . Therefore f ⊇ {q | ∃c ∈ DEL, ∃p ∈ Π, ∃r > 0 : obliv(q) = c(r, p)}. • (⇐) Let DEL and f be such that f ⊇ {q | ∃c ∈ DEL, ∃p ∈ Π, ∃r > 0 : obliv(q) = c(r, p)}. We show by contradiction that f is valid. Assume the contrary: there is some t ∈ execs f (DEL) which is invalid. By Definition 5.17 of validity, there are some processes blocked at a round forever in t. Let r be the smallest such round, and j be a process blocked at round r in t. By minimality of r, all the processes arrive at round r. By Definition 5.2 of an execution of DEL, there is a c ∈ DEL such that t is an execution of c. This means by Definition 5.2 of an execution of a collection that all the messages from c(r, j) are eventually delivered. From this point on, every local state q of j satisfies obliv(q) = c(r, j); thus we have q ∈ f by hypothesis on f . Then the fairness condition of executions of f from Definition 5.6 imposes that j does change round at some point. We conclude that j is not blocked at round r in t, which contradicts the hypothesis that it is blocked forever at round r in t.
When taking the oblivious strategy satisfying exactly this condition for validity, it results in a strategy dominating the other oblivious ones. It follows from the fact that this strategy waits for the minimum sets required to be valid, hence the name of minimal oblivious strategy. Proof. First, f min is valid for DEL by application of Lemma 6.2. Next, we take another oblivious strategy f , which is valid for DEL. Lemma 6.2 now gives us that f min ⊆ f . When f min allows a change of round, so does f . This entails by Definition 5.6 that all executions of f min on DEL are also executions of f on DEL, and thus by Definition 5.9 that HO f min (DEL) ⊆ HO f (DEL). We conclude from Definition 5.10 that f min dominates any valid oblivious strategy for DEL.
These theorems guarantee that every delivered predicate has a strategy dominating the oblivious ones, by giving a means to build it. Of course, a formal definition is not the same as a constructive definition, which motivates the study of minimal strategies through the operations, and their relations to the operations on the corresponding predicates.
6.2. Composition of Oblivious Strategies. One fundamental property of minimal oblivious strategies is their nice behaviour under the proposed operations (union, combination, succession and repetition). That is, they give minimal oblivious strategies of resulting delivered predicates. Although this holds for all operations, succession and repetition are not useful here, as the succession of two minimal oblivious strategies is equal to their union, and the repetition of a minimal oblivious strategy is equal to the strategy itself. The first operation to study is therefore union. The minimal oblivious strategy of DEL 1 ∪ DEL 2 and DEL 1 DEL 2 is the same, as shown in the next theorem, and thus it's the union of the minimal oblivious strategies of DEL 1 and DEL 2 . Theorem 6.5 (Minimal Oblivious Strategy for Union and Succession). Let DEL 1 , DEL 2 be two delivered predicates, f 1 and f 2 the minimal oblivious strategies for, respectively, DEL 1 and DEL 2 . Then f 1 ∪ f 2 is the minimal oblivious strategy for DEL 1 ∪ DEL 2 and DEL 1 DEL 2 .
Proof idea. Structurally, every proof in this subsection amounts to showing equality between the strategies resulting from the operations and the minimal oblivious strategy for the delivered predicate. For a union, the messages that can be received at each round are the messages that can be received at each round in the first predicate or in the second. This is also true for succession. Given that f 1 and f 2 are the minimal oblivious strategies of DEL 1 and DEL 2 , they accept exactly the states where the messages received from the current round are in a delivered set of DEL 1 or a delivered set of DEL 2 . Thus f 1 ∪ f 2 is the minimal oblivious strategy for DEL 1 ∪ DEL 2 and DEL 1 DEL 2 .
-If c ∈ DEL 1 , then we take c 2 ∈ DEL 2 , and take c = c[1, r].c 2 . Since by Definition 4.1 c ∈ c c 2 , we have c ∈ DEL 1 DEL 2 . By definition of c , c (r, p) = c(r, p). We thus have c , p and r showing that obliv(q) = c (r, p), and thus q is in the set on the right.
-If c ∈ DEL 2 , then c ∈ DEL 1 DEL 2 by Definition 4.1. We thus have c, p and r showing that obliv(q) = c(r, p), and thus q is in the set on the right. • (⊇) Let q be such that ∃c ∈ DEL 1 DEL 2 , ∃p ∈ Π, ∃r > 0 : obliv(q) = c(r, p). -If c ∈ DEL 2 , then c ∈ DEL 1 ∪ DEL 2 by Definition 4.1. We thus have c, p and r showing that obliv(q) = c(r, p), and thus q is in the set on the left. -If c / ∈ DEL 2 , there exist c 1 ∈ DEL 1 , c 2 ∈ DEL 2 and r > 0 such that c = c 1 [1, r ].c 2 by Definition 4.1.

Vol. 17:3 CHARACTERIZATION AND DERIVATION OF HEARD-OF PREDICATES
26:25 * If r ≤ r , then by definition of c, we have c(r, p) = c 1 (r, p). We thus have c 1 , p and r showing that obliv(q) = c 1 (r, p), and thus q is in the set on the left. * If r > r , then c(r, p) = c 2 (r − r , p). We thus have c 2 , p and (r − r ) showing that obliv(q) = c 2 (r − r , p), and thus q is in the set on the left. We now show that f 1 ∪ f 2 = {q | ∃c ∈ DEL 1 ∪ DEL 2 , ∃p ∈ Π, ∃r > 0 : obliv(q) = c(r, p)}, which allows us to conclude by Definition 6.3 that f 1 ∪ f 2 is the minimal oblivious strategy for DEL 1 ∪ DEL 2 .
• Let q ∈ f 1 ∪f 2 . We fix q ∈ f 1 (the case q ∈ f 2 is symmetric). Then because f 1 is the minimal oblivious strategy of DEL 1 , by application of Lemma 6.2, ∃c 1 ∈ DEL 1 , ∃p ∈ Π, ∃r > 0 such that c 1 (r, p) = obliv(q). Also, c 1 ∈ DEL 1 ⊆ DEL 1 ∪ DEL 2 by Definition 4.1. We thus have c 1 , p and r showing that q is in the minimal oblivious strategy for DEL 1 ∪ DEL 2 . • Let q be such that ∃c ∈ DEL 1 ∪ DEL 2 , ∃p ∈ Π, ∃r > 0 : c(r, p) = obliv(q). By Definition 4.1 of operations on strategies, and specifically union, c must be in DEL 1 or c must be in DEL 2 ; we fix c ∈ DEL 1 (the case DEL 2 is symmetric). Then Definition 6.3 gives us that q is in the minimal oblivious strategy of DEL 1 , that is f 1 . We conclude that q ∈ f 1 ∪ f 2 .
For the same reason that succession is indistinguishable from union, repetition is indistinguishable from the original predicate: the delivered sets are the same, because every collection of the repetition is built from prefixes of collections of the original predicate. Thus, the minimal oblivious strategy for a repetition is the same strategy as the minimal oblivious strategy of the original predicate.
Theorem 6.6 (Minimal Oblivious Strategy for Repetition). Let DEL be a delivered predicate, and f be its minimal oblivious strategy. Then f is the minimal oblivious strategy for DEL ω .
• (⊆) Let q ∈ f . By minimality of f for DEL, ∃c ∈ DEL, ∃p ∈ Π, ∃r > 0 : obliv(q) = c(r, p). We take c ∈ DEL ω such that c 1 = c and r 2 = r; the other c i and r i don't matter for the proof. By Definition 4.1 of operations on predicates, and specifically repetition, we get c (r, p) = c(r, p) = obliv(q). We have c , p and r showing that q is in the minimal oblivious strategy of DEL ω . • (⊇) Let q be such that ∃c ∈ DEL ω , ∃p ∈ Π, ∃r > 0 : obliv(q) = c(r, p). By Definition 4.1 of operations on predicates, and specifically repetition, there are c i ∈ DEL and 0 < r i < r i+1 such that r ∈ [r i + 1, r i+1 ] and c(r, p) = c i (r − r i , p). We have found c i , p and (r − r i ) showing that q is in the minimal oblivious strategy for DEL. Since f is the minimal oblivious strategy for DEL, we get q ∈ f .
Combination is different from the other operations, as combining collections is done round by round. Since oblivious strategies do not depend on the round, the combination of two oblivious strategies will accept the combination of any two states accepted, that is, it will accept any intersection of the delivered set of received messages from the current round in the first state and the delivered set of received messages from the current round in the second state. Yet when taking the combination of two predicates, maybe the collections are such that these two delivered sets used in the intersection above never happen at the same round, and thus never appear in the combination of collections.
To ensure that every intersection of pairs of delivered sets, one from a collection from each predicate, happens in the combination of predicates, we add an assumption: the symmetry of the predicate over processes and over rounds. This means that for any delivered set D of the predicate, for any round and any process, there is a collection of the predicate where D is the delivered set for some round and some process. DEL crash F is an example of round symmetric delivered predicate: all processes are equivalent, and crashes can happen at any round. Definition 6.7 (Round Symmetric DEL). Let DEL be a delivered predicate. DEL is round symmetric iff ∀c ∈ DEL, ∀r > 0, ∀k ∈ Π, ∀r > 0, ∀k ∈ Π, ∃c ∈ DEL : c(r, k) = c (r , j). Theorem 6.8 (Minimal Oblivious Strategy for Combination). Let DEL 1 , DEL 2 be two round symmetric delivered predicates, f 1 and f 2 the minimal oblivious strategies for, respectively, DEL 1 and DEL 2 . Then f 1 f 2 is the minimal oblivious strategy for DEL 1 DEL 2 .
Proof idea. The oblivious states of DEL 1 DEL 2 are the combination of an oblivious state of DEL 1 and of one of DEL 2 at the same round, for the same process. Thanks to round symmetry, this translates into the combination of any oblivious state of DEL 1 with any oblivious state of DEL 2 . Since f 1 and f 2 are the minimal oblivious strategy, they both accept exactly the oblivious states of DEL 1 and DEL 2 respectively. Thus f 1 f 2 accepts all the combinations of oblivious states of DEL 1 and DEL 2 , and is the minimal oblivious strategy of DEL 1 DEL 2 .
This subsection shows that as long as predicates are built from simple building blocks with known minimal oblivious strategies, the minimal oblivious strategy of the result can be explicitly constructed.

Computing Heard-Of Predicates of Oblivious Strategies.
Once the minimal oblivious strategy has been computed, the next step is to extract the heard-of predicate for this strategy: the smallest predicate (all its collections are contained in the other predicates) generated by an oblivious strategy for this delivered predicate. This ends up being simple: it is the product of all delivered sets. Here is the intuition: defining a heard-of collection requires, for each round and each process, the corresponding heard-of set. A heard-of product is then the set of all collections that have heard-of sets from the set given as argument. So the total heard-of predicate (containing only the total collection) is the heard-of product of the set Π. And HO F is the heard-of product of all subsets of Π of size ≥ n − F .
The following lemma links the Nexts f of some valid oblivious strategy and the heard-of predicate for this strategy: the predicate is the heard-of product of the Nexts f . Proof.
• (⊆) To prove this first direction, we show that the heard-of sets of any collection in HO f (DEL) are in Nexts f . This then entails that HO f (DEL) ⊆ HOProd(Nexts f ). By Definition 5.9 of the heard-of collection of an execution, every heard-of set contains the set of messages from the current round that was already received at the next p transition where the process p changed round. By Definition 5.6 of the executions of a strategy, such a next p transition can only happen if the local state of the process p is in f . By Definition 6.1 of oblivious strategies, f contains exactly the states such that the messages received from the current round form a set in Nexts f . Therefore, the heard-of set of any collection generated by f on a collection of DEL are necessarily in Nexts f . • (⊇) Let ho be a heard-of collection such that ∀r > 0, ∀j ∈ Π : ho(r, j) ∈ Nexts f . Let t be the canonical execution of ho. It is an execution by Lemma 5.14. By Definition 5.13, at each round, processes receive a set of messages in Nexts f . By Definition 6.1 of oblivious strategies, this entails that the local states are in f when the processes change rounds. And so, by Definition 5.6, it is an execution of f . Hence t is an execution of f on DEL, because DEL contains the total predicate. Since t = can(ho), Lemma 5.15 implies that h t = ho. We conclude that ho ∈ HO f (DEL).
Thanks to this characterization, the heard-of predicate generated by the minimal strategies for the operations is computed in terms of the heard-of predicate generated by the original minimal strategies.
Theorem 6.11 (Heard-Of Predicate of Minimal Oblivious Strategies). Let DEL, DEL 1 , DEL 2 be delivered predicates containing c total . Let f, f 1 , f 2 be their respective minimal oblivious strategies. Then: Proof. Obviously, we want to apply Lemma 6.10. Then we first need to show that the delivered predicates contain c total .
• By hypothesis, DEL 1 and DEL 2 contain c total . Then DEL 1 ∪ DEL 2 trivially contains it too by Definition 4.1 of operations on predicates. • By hypothesis, DEL 1 and DEL 2 contain c total . Then DEL 1 DEL 2 contains c total c total = c total by Definition 4.1 of operations on predicates.
• By hypothesis, DEL contains c total . We can recreate c total by taking all c i = c total and whichever r i . Thus DEL ω contains c total by Definition 4.1 of operations on predicates. Next, the strategies f 1 ∪ f 2 , f 1 f 2 and f are the respective minimal oblivious strategies by Theorem 6.5, Theorem 6.8 and Theorem 6.6. They are also valid by Theorem 6.2.
Lastly, we need to show that the Nexts f for the strategies corresponds to the generating sets in the theorem.

and thus that
HOProd Then ∃q ∈ f 1 f 2 : obliv(q) = n. By Definition 4.1 of operations on predicates, and specifically of combination, ∃q 1 ∈ f 1 , ∃q 2 ∈ f 2 : q 1 .round = q 2 .round = q.round ∧ q = q 1 q 2 . This means n = obliv(q) = obliv(q 1 ) ∩ obliv(q 2 ). We conclude that n ∈ {n 1 ∩ n 2 | n 1 ∈ Nexts f 1 ∧ n 2 ∈ Nexts f 2 } by Definition 6.1 of oblivious strategies. -(⊇) Let n ∈ {n 1 ∩ n 2 | n 1 ∈ Nexts f 1 ∧ n 2 ∈ Nexts f 2 }. Then ∃n 1 ∈ Nexts f 1 , ∃n 2 ∈ Nexts f 2 : n = n 1 ∩ n 2 . By Definition 6.1 of oblivious strategies, and because f 1 and f 2 are oblivious strategies, we can find q 1 ∈ f 1 such that obliv(q 1 ) = n 1 , q 2 ∈ f 2 such that obliv(q 2 ) = n 2 , and q 1 .round = q 2 .round. Then q = q 1 q 2 is a state of f 1 f 2 . We have obliv(q) = n 1 ∩ n 2 = n. We conclude that n ∈ Nexts f 1 f 2 by Definition 6.1 of oblivious strategies. • Trivially, Nexts f = Nexts f . 6.4. Domination by Oblivious Strategies. Finally, the value of oblivious strategies depends on which delivered predicates have a dominating oblivious strategy. DEL crash F does, with the strategy f n−F . We consider delivered predicates that satisfy the so-called common round property. This condition captures the fact that given any delivered set D, one can build, for any r > 0, a delivered collection where processes receive all the messages up to round r, and then they share D as their delivered set in round r. As a limit case, the predicate also contains the total collection. This common round property is preserved by the composition operators, which allows to derive complex dominating oblivious strategies from simple ones. • (Common round) ∀c ∈ DEL, ∀r > 0, ∀j ∈ Π, ∀r > 0, ∃c ∈ DEL, ∀p ∈ Π : (∀r < r : c (r , p) = Π ∧ c (r , p) = c(r, j)).
What the common round property captures is what makes DEL crash F be dominated by an oblivious strategy: if one process j might block at round r even after receiving all messages from round r in some collection c of DEL, and all messages from rounds < r, then there is a collection and an execution where all processes block in the same way. The collection ensures that the delivered collection gives each process the same delivered sets (Π) for rounds < r, and c(r, j) at round r. The execution is the standard execution of this collection, that puts every process at round r in the same blocking state as j, and so a deadlock occurs. The conclusion is that any valid strategy should allow to change round when all messages from previous rounds are received, and the messages received for the current round form a delivered set from a collection of DEL. Applying this reasoning to the canonical executions of heard-of collections from HO f min (DEL) yields that the canonical executions are executions of any valid strategy for DEL (not only oblivious ones), and thus that for any valid strategy f for DEL, HO f min (DEL) ⊆ HO f (DEL). That is to say, DEL is dominated by an oblivious strategy. Theorem 6.13 (Sufficient Condition of Oblivious Domination). Let DEL be a delivered predicate satisfying the common round property. Then, there is an oblivious strategy that dominates DEL.
Proof. Let f min be the minimal oblivious strategy for DEL. It dominates the oblivious strategies for DEL by Lemma 6.4. We now prove that f min dominates DEL. This amount to showing that for f , a valid strategy for DEL, we have f ≺ DEL f min , that is HO f min (DEL) ⊆ HO f (DEL). Let ho ∈ HO f min (DEL) and t be the canonical execution of ho. We show that t is an execution of f , which entails by Lemma 5.15 that ho ∈ HO f (DEL).
By Definition 6.12 of the common round property, DEL contains c total . By Lemma 5.14, t is an execution of c total , and thus an execution of DEL. We now prove by contradiction it is also an execution of f on DEL. Assume it is not. By Definition 5.6 of the executions of a strategy, the problem comes either from breaking fairness or from some next j for some process j at a point where the local state of j is not in f . Since for every j ∈ Π : next j happens an infinite number of times in t by Definition 5.13 of a canonical execution, the only possibility left is the second one: some next j in t is done while the local state of j is not in f . There thus exists a smallest r such that some process j is not allowed by f to change round when next j is played at round r in t. Lemma 6.10 yields that HO f min (DEL) = HOProd(Nexts f min ). By Definition 6.3 of minimal oblivious strategies, Nexts f min = {c(r , p) | c ∈ DEL ∧ r > 0 ∧ p ∈ Π}. Thus ∃c ∈ DEL, ∃r > 0, ∃p ∈ Π : ho(r, j) = c(r , p). Since DEL satisfies the common round property (Definition 6.12), it allows us to build c block ∈ DEL such that ∀r < r, ∀k ∈ Π : c block (r , k) = Π and ∀k ∈ Π : c block (r, k) = c(r , j) = ho(r, j). Finally, we build t block = st(f , c block ) the standard execution of f on c block . By Lemma 5.12, we know t block is an execution of f on c block . We then show that it is invalid by examining the two possibilities.
• During one of the first r − 1 iterations of t block , there is some process that cannot change round. Let r be the smallest iteration where it happens, and k be a process unable to change round at the r -th iteration. By minimality of r , all the processes arrive at round r , and by definition of c block they all receive the same messages as k before changes r . That means every process has the same local state as k. Thus, all the processes are blocked at round r , there are no more round changes or deliveries, and t block is invalid by Definition 5.17 of validity.
• For the first r − 1 iterations, every process changes round. Thus everyone arrives at round r. By Definition 5.11 of the standard execution, all messages from round r are delivered before the change r section. The definition of c block also ensures that every process received the same messages, that is all the messages from round < r and all the messages from ho(r, j). These are the messages received by j in t at round r. By hypothesis, j is blocked in this state in t. We thus deduce that all the processes are blocked at round r in t block , and that t block is an invalid execution by Definition 5.17 of validity. Either way, we deduce that f is invalid, which is a contradiction. We conclude that t is an execution of f on DEL. Lemma 5.15 therefore implies that ho ∈ HO f (DEL). This entails that HO f min (DEL) ⊆ HO f (DEL), and thus that f ≺ DEL f min . We conclude that f min dominates DEL by Definition 5.10. This condition is maintained by the operations. Hence any predicate built from ones satisfying this condition will still be dominated by an oblivious strategy. Theorem 6.14 (Domination by Oblivious for Operations). Let DEL, DEL 1 , DEL 2 be delivered predicates satisfying the common round property. Then DEL 1 ∪ DEL 2 , DEL 1 DEL 2 , DEL 1 DEL 2 , DEL ω also satisfy the common round property.
Proof. Thanks to Theorem 6.13, we have to show that the condition is maintained by the operations; the domination by an oblivious strategy directly follows from Theorem 6.13. The fact that c total is still in the results of the operations was already shown in the proof of Theorem 6.11. Hence we show the invariance of the common round part.
• Let c ∈ DEL 1 ∪ DEL 2 . Thus c ∈ DEL 1 or c ∈ DEL 2 . We fix c ∈ DEL 1 (the other case is symmetric). Then for p ∈ Π, r > 0 and r > 0, we get a c ∈ DEL 1 satisfying the condition of Definition 6.12 by the hypothesis that DEL 1 satisfies the common round property. Since DEL 1 ⊆ DEL 1 ∪ DEL 2 , we get c ∈ DEL 1 ∪ DEL 2 . We conclude that the condition still holds for DEL 1 ∪ DEL 2 . • Let c ∈ DEL 1 DEL 2 . Then ∃c 1 ∈ DEL 1 , ∃c 2 ∈ DEL 2 : c = c 1 c 2 . For p ∈ Π, r > 0 and r > 0, our hypothesis on DEL 1 and DEL 2 ensures that there are c 1 ∈ DEL 1 satisfying the condition of Definition 6.12 for c 1 and c 2 ∈ DEL 2 satisfying the condition of Definition 6.12 for c 2 . We argue that c = c 1 c 2 satisfies the condition of Definition 6.12 for c. Indeed, ∀r < r , ∀q ∈ Π : c(r , q) = c 1 (r , q) c 2 (r , q) = Π and ∀q ∈ Π : c(r , q) = c 1 (r , q) c 2 (r , q) = c 1 (r, p) c 2 (r, p) = c(r, p). We conclude that the condition of Definition 6.12 still holds for DEL 1 DEL 2 . • Let c ∈ DEL 1 DEL 2 . Since if c ∈ DEL 2 the condition of Definition 6.12 trivially holds by hypothesis, we study the case where succession actually happens. Hence ∃c 1 ∈ DEL 1 , ∃c 2 ∈ DEL 2 , ∃r change > 0 : c = c 1 [1, r change ].c 2 . For p ∈ Π, r > 0 and r > 0, we consider two cases.

Vol. 17:3 CHARACTERIZATION AND DERIVATION OF HEARD-OF PREDICATES 26:31
We conclude that the condition of Definition 6.12 still holds for DEL 1 DEL 2 . • Let c ∈ DEL ω . Let (c i ) and (r i ) be the collections and indices defining c. We take p ∈ Π, r > 0 and r > 0. Let i > 0 be the integer such that r ∈ [r i + 1, r i+1 ]. By hypothesis on DEL, there is c i ∈ DEL satisfying the condition of Definition 6.12 for c i at p and r − r i . That is, . We argue that c i ∈ DEL satisfies the condition of Definition 6.12 for c. Indeed, ∀r ≤ r , ∀q ∈ Π, we have: c i (r , q) = Π and ∀q ∈ Π : c i (r , q) = c i (r − r i , p) = c(r, p). We conclude that the condition of Definition 6.12 still holds for DEL ω .
Therefore, as long as the initial building blocks satisfy the common round property, so do the results of the operations -and the latter is dominated by its minimal oblivious strategy, a strategy that can be computed easily from the results of this section.

Conservative Strategies: Looking at Present and Past Rounds
The class of considered strategies expands the class of oblivious strategies by considering past rounds and the round number in addition to the present round. This is a generalization of oblivious strategies that trades simplicity for expressivity, while retaining a nice structure. The structure of this section is similar to the previous one: it defines conservative strategies and give a necessary and sufficient condition for a conservative strategy to be valid (Section 7.1), presents results on the composition of conservative strategies (Section 7.2) that enables to compute upper bounds on the heard-of predicates of conservative strategies (Section 7.3), and ends with a sufficient condition for conservative domination, condition preserved by composition (Section 7.4).
Let ≈ cons the equivalence relation defined by q 1 ≈ cons q 2 if cons(q 1 ) = cons(q 2 ). The family of conservative strategies is family(≈ cons ). We write Nexts C f {cons(q) | q ∈ f } for the set of conservative states in f . This uniquely defines f .
In analogy with the case of oblivious strategies, there is an intuitive necessary and sufficient condition for such a strategy to be valid for a given delivered predicate.

Lemma 7.2 (Necessary and Sufficient Condition for Validity of a Conservative Strategy).
Let DEL be a delivered predicate and f be a conservative strategy. Then f is valid for DEL ⇐⇒ f ⊇ {q ∈ Q | ∃c ∈ DEL, ∃p ∈ Π, ∀r ≤ q.round : q(r) = c(r, p)}.

Proof.
• (⇒) Let f be valid for DEL. We show by contradiction that it satisfies the right-hand side of the above equivalence. Assume there is q block a local state such that ∃c ∈ DEL, ∃r > 0, ∃j ∈ Π : cons(q block ) = r, { r , k | r ≤ r ∧ k ∈ c(r , j)} and q / ∈ f . By Definition 7.1, this means that for every q such that cons(q) = cons(q block ) = r, { r , k | r ≤ r ∧ k ∈ c(r , j)} , q / ∈ f . Let t = st(f, c) be the standard execution of f on c. This is an execution of f on t by Lemma 5.12. The sought contradiction is reached by proving that t is invalid for DEL, and thus f is invalid for DEL too. To do so, we split according to two cases: the first is the case where there is a blocking process before round r, and the other uses the hypothesis on the prefix of c for j up to round r.
-During one of the first r − 1 iterations of t, there is some process which cannot change round. Let r be the smallest iteration of the canonical execution where it happens, and k be a process unable to change round at the r -th iteration. By minimality of r , all the processes arrive at round r in t; by Definition 5.11 of the standard execution, all messages for k from all rounds up to r are delivered before the change part of the iteration. Let q the local state of k at the start of change r , and let q be any local state of k afterward. The above tells us that as long as q .round = q.round, we have cons(q) = cons(q ) and thus q / ∈ f . Therefore, k can never change round while at round r . We conclude that t is invalid for DEL by Definition 5.17.
-For the first r − 1 iterations, all the processes change round. Thus everyone arrives at round r in the r − 1-th iteration. By Definition 5.11 of the standard execution, all messages from rounds up to r are delivered before the change r part of the r-th iteration. Thus j is in a local state q at the change r part of the r-th iteration such that cons(q) = r, { r , k | r ≤ r ∧ k ∈ c(r , j)} = cons(q block ). By hypothesis, this means q / ∈ f thus that j cannot change round. Let q be any local state of j afterward. The above tells us that as long as q .round = q.round, we have cons(q) = cons(q ) and thus q / ∈ f . Therefore, j can never change round while at round r. Here too, t is invalid for DEL by Definition 5.17. Either way, we reach a contradiction with the validity of f for DEL. • (⇐) Let DEL and f be such that ∀c ∈ DEL, r, { r , k | r ≤ r ∧ k ∈ c(r , j)} ∈ Nexts C f . We show by contradiction that f is valid for DEL. Assume the contrary: there is some t ∈ execs f (DEL) that is invalid for DEL. Thus there are some processes blocked at a round forever in t. Let r be the smallest such round, and j be a process blocked at round r in t. By minimality of r, all the processes arrive at round r. By Definition 5.2 of an execution of DEL, there is a c ∈ DEL such that t is an execution of c. This means by Definition 5.2 of an execution of a collection that all messages from all the delivered sets of j up to round r are eventually delivered. From this point on, every local state q of j satisfies cons(q) = r, { r , k | r ≤ r ∧ k ∈ c(r , j)} ; thus we have q ∈ f by hypothesis on f . Then the fairness condition of executions of f from Definition 5.6 imposes that j does change round at some point. We conclude that j is not blocked at round r in t, which contradicts the hypothesis that j is blocked forever at round r in t.
The strategy satisfying exactly this condition is the minimal conservative strategy of DEL, and it is a strategy dominating all the conservative strategies for this delivered predicate. Definition 7.3 (Minimal Conservative Strategy). Let DEL be a delivered predicate. Then the minimal conservative strategy for DEL is f min the conservative strategy such that f = {q ∈ Q | ∃c ∈ DEL, ∃p ∈ Π, ∀r ≤ q.round : q(r) = c(r, p)}.
Intuitively, when every message from a prefix is delivered, there is no message left from past and present; a valid conservative strategy has to accept the state, or it would be blocked forever.
Remark 7.4 (Prefix and conservative state of a prefix). Intuitively, a prefix of a collection c for a process p at round r is the sequence of sets of messages received by p at rounds ≤ r in c. Then we can define a state corresponding to this prefix by fixing its round at r and Proof. We only have to show that f 1 ∪ f 2 is equal to Definition 7.3.
• (⊇) Let q be a state such that ∃c ∈ DEL 1 ∪ DEL 2 , ∃p ∈ Π such that ∀r ≤ q.round : q(r) = c(r, p). If c ∈ DEL 1 , then q ∈ f 1 , by Definition 7.3 of the minimal conservative strategy because f 1 is the minimal conservative strategy for DEL 1 , and by application of Lemma 7.2.
Thus q ∈ f 1 ∪ f 2 . If c ∈ DEL 2 , the same reasoning applies with f 2 in place of f 1 . We conclude that q ∈ f 1 ∪ f 2 . • (⊆) Let q ∈ f 1 ∪ f 2 . This means that q ∈ f 1 ∨ q ∈ f 2 . The case where it is in both can be reduced to any of the two. If q ∈ f 1 , then by Definition 7.3 of the minimal conservative strategy and by minimality of f 1 , ∃c 1 ∈ DEL 1 , ∃p 1 ∈ Π such that ∀r ≤ q.round : q(r) = c 1 (r, p 1 ). DEL 1 ⊆ DEL 1 ∪ DEL 2 , thus c 1 ∈ DEL 1 ∪ DEL 2 . We have found the c and p necessary to show q is in the minimal conservative strategy for DEL 1 ∪ DEL 2 . If q ∈ f 2 , the reasoning is similar to the previous case, replacing f 1 by f 2 and DEL 1 by DEL 2 .
For the other three operations, slightly more structure is needed on the predicates. More precisely, they have to be independent of the processes. We require that any prefix of a process k in a collection of the predicate is also the prefix of any other process j in a possibly different collection of the same DEL. Hence the behaviors (fault, crashes, loss) are not targeting specific processes. This restriction fits the intuition behind many common fault models.
This differs from the previous round symmetric DEL, in that here we focus on prefixes, while the other focused on rounds. Notice that none implies the other: round symmetry says nothing about the rest of the prefix, and prefix symmetry says nothing about the delivered sets when rounds are different. Assuming prefix symmetry, the conservation of the minimal conservative strategy by combination, succession and repetition follows. Proof idea. Since f 1 and f 2 are the minimal conservative strategies of DEL 1 and DEL 2 , Nexts C f 1 is the set of the conservative states of prefixes of DEL 1 and Nexts C f 2 is the set of the conservative states of prefixes of DEL 2 . Also, the states accepted by f 1 f 2 are the combination of the states accepted by f 1 and the states accepted by f 2 . The prefixes of DEL 1 DEL 2 are the prefixes of DEL 1 combined with the prefixes of DEL 2 for the same process. Thanks to prefix symmetry, we can take a prefix of DEL 2 and any process, and find a collection such that the process has that prefix. Therefore, the combined prefixes for the same process are the same as the combined prefixes of DEL 1 and DEL 2 . Thus Nexts C f 1 f 2 is the set of conservative states of prefixes of DEL 1 DEL 2 , and f 1 f 2 is its minimal conservative strategy.
Proof. We only need to show that f 1 f 2 is equal to Definition 7.3.
Theorem 7.9 (Minimal Conservative Strategy for Succession). Let DEL 1 , DEL 2 be two prefix symmetric delivered predicates, f 1 and f 2 the minimal conservative strategies for, respectively, DEL 1 and DEL 2 . Then f 1 f 2 is the minimal conservative strategy for DEL 1 DEL 2 .
Proof idea. Since f 1 and f 2 are the minimal conservative strategies of DEL 1 and DEL 2 , Nexts C f 1 is the set of the conservative states of prefixes of DEL 1 and Nexts C f 2 is the set of the conservative states of prefixes of DEL 2 . Also, the states accepted by f 1 f 2 are the succession of the states accepted by f 1 and the states accepted by f 2 . The prefixes of DEL 1 DEL 2 are the successions of prefixes of DEL 1 and prefixes of DEL 2 for the same process. Thanks to prefix symmetry, we can take a prefix of DEL 2 and any process, and find a collection such that the process has that prefix. Therefore, the succession of prefixes for the same process are the same as the succession of prefixes of DEL 1 and DEL 2 . Thus Nexts C f 1 f 2 is the set of conservative states of prefixes of DEL 1 DEL 2 , and is its minimal conservative strategy.
-If r = 0, then c[1, r] = c 2 [1, r], and thus ∀r ≤ q.round : q(r ) = c 2 (r , p). First, f 2 is valid for DEL 2 by Lemma 7.2 and Definition 7.3. Then the validity of f 2 and Lemma 7.2 allow us to conclude that q ∈ f 2 and thus that q ∈ f 1 f 2 . -If r > 0, we have two cases to consider.
-If q ∈ f 1 , then by Definition 7.3 of the minimal conservative strategy and minimality of f 1 for DEL 1 , we have ∃c 1 ∈ DEL 1 , ∃p 1 ∈ Π : ∀r ≤ q.round : q(r) = c 1 (r, p 1 ). Let c 2 ∈ DEL 2 . We take c = c 1 [1, q.round].c 2 ; we have c ∈ c 1 c 2 by Definition 4.1 of operations for predicates. Then, ∀r ≤ q.round : q(r) = c 1 (r, p 1 ) = c(r, p 1 ). We have found c and p showing that q is in the minimal conservative strategy for DEL 1 DEL 2 by Definition 7.3.
Theorem 7.10 (Minimal Conservative Strategy for Repetition). Let DEL be a prefix symmetric delivered predicate, and f be its minimal conservative strategy. Then f ω is the minimal conservative strategy for DEL ω .
Proof. We only have to show that f ω is equal to Definition 7.3.
• (⊇) Let q be a state such that ∃c ∈ DEL ω , ∃p ∈ Π such that ∀r ≤ q.round : q(r) = c(r, p). By Definition 4.1 of operations for predicates, and specifically of repetition, . Let k be the biggest integer such that r k ≤ q.round. We consider two cases.
We have found c and p showing that q is in the minimal conservative strategy for DEL ω by Definition 7.3.

7.3.
Computing Heard-Of Predicates of Conservative Strategies. The analogy with oblivious strategies breaks here: the heard-of predicate of conservative strategies is hard to compute, as it depends in intricate ways on the delivered predicate itself. Yet it is still possible to compute interesting information on this HO: upper bounds. These are overapproximations of the actual HO, but they can serve for formal verification of LTL properties. Indeed, the executions of an algorithm for the actual HO are contained in the executions of the algorithm for any overapproximation of the HO, and LTL properties must be true for all executions of the algorithm. So proving the property on an overapproximation also proves it on the actual HO. ) .
Proof. An oblivious strategy is a conservative strategy. Therefore, the minimal conservative strategy always dominates the minimal oblivious strategy. Hence we get an upper bound on the heard-of predicate of the minimal conservative strategies by applying Theorem 6.11. 7.4. Domination by Conservative Strategies. Some examples above, like DEL crash 1,≥r (see Table 1), are not dominated by oblivious strategies, but are dominated by conservative strategies. This follows from a condition on delivered predicates and its invariance by the operations, similar to the case of oblivious strategies. Let's start by defining that condition and then showing that it implies domination by a conservative strategy. Definition 7.12 (Common Prefix Property). Let DEL be a delivered predicate. DEL satisfies the common prefix property ∀c ∈ DEL, ∀p ∈ Π, ∀r > 0, ∃c ∈ DEL, ∀q ∈ Π, ∀r ≤ r : c (r , q) = c(r , p).
The common prefix property, as its name suggests, works just like the common round property but for a prefix. It ensures that for every prefix of a collection in the predicate, there exists a collection where every process shares this prefix. Proof. The proof is the same as for the oblivious case, except that the common prefix property gives us a delivered collection where everyone has the same exact prefix as the blocked process in the canonical execution.
Theorem 7.14 (Domination by Conservative for Operations). Let DEL, DEL 1 , DEL 2 be delivered predicates with the common prefix property. Then DEL 1 ∪ DEL 2 , DEL 1 DEL 2 , DEL 1 DEL 2 , DEL ω satisfy the common prefix property. Proof.
• Let c ∈ DEL 1 ∪ DEL 2 . Thus c ∈ DEL 1 or c ∈ DEL 2 by Definition 4.1. We fix c ∈ DEL 1 (the other case is symmetric). Then for p ∈ Π and r > 0, we get a c ∈ DEL 1 satisfying the condition of Definition 7.12. Since DEL 1 ⊆ DEL 1 ∪ DEL 2 , we get c ∈ DEL 1 ∪ DEL 2 . We conclude that the common prefix property still holds for DEL 1 ∪ DEL 2 by Definition 7.12. • Let c ∈ DEL 1 DEL 2 . Then ∃c 1 ∈ DEL 1 , ∃c 2 ∈ DEL 2 : c = c 1 c 2 . For p ∈ Π and r > 0, our hypothesis on DEL 1 and DEL 2 ensures that there are c 1 ∈ DEL 1 satisfying the condition of Definition 7.12 for c 1 and c 2 ∈ DEL 2 satisfying the condition of Definition 7.12 for c 2 . We argue that c = c 1 c 2 satisfies the condition of Definition 7.12 for c. Indeed, ∀r ≤ r, ∀q ∈ Π : c(r , q) = c 1 (r , q) c 2 (r , q) = c 1 (r , p) c 2 (r , p) = c(r , p). We conclude that the condition of Definition 7.12 still holds for DEL 1 DEL 2 . • Let c ∈ DEL 1 DEL 2 . Since if c ∈ DEL 2 , the condition holds by hypothesis, we study the case where succession actually happens. Hence ∃c 1 ∈ DEL 1 , ∃c 2 ∈ DEL 2 , ∃r change > 0 : c = c 1 [1, r change ].c 2 . For p ∈ Π and r > 0, our hypothesis on DEL 1 and DEL 2 ensures that there are c 1 ∈ DEL 1 satisfying the condition for c 1 at r and c 2 ∈ DEL 2 satisfying the condition for c 2 at r − r change . We argue that c = c 1 [1, r change ].c 2 satisfies the condition for c. Indeed, ∀r ≤ r, ∀q ∈ Π, we have: if r ≤ r change : c (r , q) = c 1 (r , q) = c 1 (r , p) = c(r , p); and if r > r change : c (r , q) = c 2 (r − r change , q) = c 2 (r − r change , p) = c(r , p). We conclude that the condition still holds for DEL 1 DEL 2 . • Let c ∈ DEL ω , p ∈ Π, r > 0 and let's prove that ∃c ∈ DEL ω , ∀q ∈ Π, ∀r ≤ r : c (r , q) = c(r , p). c ∈ DEL ω , so by Definition 4.1, there exist (c i ) and (r i ) such that: r 1 = 0 ∧ ∀i ∈ N * : (c i ∈ DEL ∧ r i < r i+1 ∧ c[r i + 1, r i+1 ] = c i [1, r i+1 − r i ]). ∀i ∈ N * : c i ∈ DEL, so by hypothesis and Definition 7.12, ∀i ∈ N * , ∃c i ∈ DEL, ∀q ∈ Π, ∀r ≤ r : c i (r , q) = c i (r , p). Let c = i>0 c i [1, r i+1 − r i ]. By definition, c ∈ DEL ω . Let q ∈ Π and r ≤ r and let's prove that c (r , q) = c(r , p). Let i ∈ N * such that r i + 1 ≤ r ≤ r i+1 . Then, c (r , q) = c i (r − r i , q) = c i (r − r i , p) = c(r , p). We conclude that the condition of Definition 7.12 still holds for DEL ω .
Therefore, as long as the initial building blocks satisfy the common prefix property, so do the results of the operations. Thus the latter is dominated by its minimal conservative strategy -a strategy that can be computed from the results of this section.

Looking at Future Rounds
In the above, the dominating strategy was at most conservative: only the past and present rounds were useful for generating heard-of collections. Nevertheless, messages from future rounds serve in some cases. This section provides a preliminary exploration of the topic, with an example and a conjecture. Let's go back to DEL loss 1 , the delivered predicate for at most one message loss presented in Section 3. The minimal oblivious strategy for this predicate is f n−1 . The minimal conservative strategy is a similar one, except that when it received a message from p at round r, it waits for all messages from p at previous rounds. However, this does not change which messages the strategy waits for in the current round: n − 1 messages, because one can always deliver all the messages from the past, and then the loss might be a message from the current round. However, if the strategy considers messages from the next round, it can ensure that at each round, at most one message among all processes is not delivered on time.
The strategy presented here waits for either all messages from the current round, or for all but one messages from the current round and all but one message from the next round.
Definition 8.1 (Strategy for One Loss). Let after : Q → P(Π) such that ∀q ∈ Q : after(q) = {k ∈ Π | q.round + 1, k ∈ q.mes}. Then f loss q ∈ Q card(obliv(q)) = card(Π) ∨ (card(after(q)) = card(Π) − 1 ∧ card(obliv(q)) = card(Π) − 1)} Intuitively, this strategy is valid for DEL loss 1 because at each round and for each process, only two cases exist: • Either no message for this process at this round is lost, and it receives a message from every process; • Or one message for this process is lost at this round, and it only receives n − 1 messages.
However, all the other processes receive n messages (because only one can be lost), thus they change round and send their messages for the next round. Since the one loss already happened, all these messages are delivered, and the original process eventually receives n − 1 messages from the next round.
Lemma 8.2 (Validity of f loss ). f loss is valid for DEL loss 1 . Proof. We proceed by contradiction: Assume f loss is invalid for DEL loss 1 . Thus there exists t ∈ execs f loss (DEL loss 1 ) invalid. There is a smallest round r where some process j cannot change round from that point onwards. Let also c be a delivered collection of DEL loss 1 such that t ∈ execs(c). Minimality of r entails that every process reaches round r and thus sends its messages to j, and c ∈ DEL loss 1 entails that at most one of these messages can be lost. Thus j eventually receives n − 1 messages from round r. By hypothesis, it doesn't receive all n messages, or it could change round. Thus j receives exactly n − 1 messages from round r, which means that the only loss allowed by DEL loss 1 happens at round r. For j to block, it must never receive n − 1 messages from round r + 1. Yet the only loss is a message to j; thus every other process receives n messages at round r, changes round, and sends its message to j without loss. Hence j eventually receives n − 1 messages from round r + 1. This contradicts the fact that j cannot change round at this point in t.
This strategy also ensures that at most one process per round receives only n−1 messages on time -the others must receive all the messages. This vindicates the value of messages from future rounds for some delivered predicates, such as the ones with asymmetry in them. Proof.
• (⊆) Let ho ∈ HO f loss (DEL loss 1 ) and t ∈ execs f loss (DEL loss 1 ) an execution of f loss generating ho. By definition of the executions of f loss , processes change round only when they received either n messages from the current round, or n − 1 messages from the current round (and n − 1 messages from the next one, but that is irrelevant to the heard-of predicate). Moreover, t is valid by definition, as it generates ho. Let's now assume that at least one process j receives only n − 1 messages on time for some round r in ho. By definition of f loss and validity of t, we deduce that j also received n − 1 messages from round r + 1 while it was at round r. Hence, every other process ended its own round r before j; the only possibility is that they received n messages from round r, because the alternatives require the reception of the message from j at round r + 1. We conclude that for each round, at most one process receives only n − 1 messages on time, which can be rewritten as ∀r ∈ N * : j∈Π card(Π \ ho(r, j)) ≤ 1.
• (⊇) Let ho a heard-of collection over Π such that ∀r ∈ N * : j∈Π card(Π \ ho(r, j)) ≥ 1. The difficulty here is that the canonical execution of ho fails to be an execution of f loss : when only n − 1 messages from the current round are delivered to some process j, then the corresponding next j for this round will not be allowed by f loss . One way to deal with this issue is to start from the canonical execution of ho and move these incriminating next j after the deliveries of n − 1 messages from the next round, and before the deliveries of messages from j in the next round. In this way, every next j will happen when either n messages have been received from the current round, or n − 1 messages from the current round and n − 1 from the next one. We conclude that ho ∈ HO f loss (DEL loss 1 ). Does f loss dominate DEL loss 1 ? It would seem so, but proving it is harder than for f n−F and DEL crash F . The reason is that the common round property of the latter allows the creation of deadlocks where every process is blocked in the same local state, which forces any valid strategy to accept this state. Whereas the whole reason the future serves in DEL loss 1 is because the latter doesn't have this property, and thus the local state of a process constrains the possible local states of other processes. Conjecture 8.4 (Domination of f loss on DEL loss 1 ). f loss is a dominating strategy for DEL loss 1 . This example demonstrates two important points about strategies using the future. First, for some delivered predicates (for example DEL loss 1 ), they dominate conservative strategies. Secondly, because any additional message might influence whether the strategy allows a change of round or not, proof techniques based on standard executions don't work for these strategies.

Conclusion
In this article, we propose a formalization of the heard-of predicate to use when studying a given operational model through the Heard-Of model. This formalization comes with the following methodology: • Extract a delivered predicate from the informal model, either through direct analysis or by building the predicate from simpler building blocks through operations. • Compute a dominating strategy for this delivered predicate, either by direct analysis or by combining dominating strategies for the simpler building blocks. • Compute the heard-of predicate generated by this strategy on this delivered predicate. This result captures the most constrained predicate which can be implemented on top of the initial model. If a round-based algorithm is proved correct on this predicate, its correctness follows on the original model; and if no algorithm exists for a given problem on this predicate, this entails that no round-based algorithm solves the problem on the original model. The obvious follow-up to this research is to tackle strategies which look into the future, and predicates like DEL loss 1 that are useful for such strategies. Doing so will require completely new proof techniques, as the ones presented here implicitly rely on the ability to make only the messages in the past and present rounds matter. A more straightforward extension of this work would be the study of more delivered predicates, both for having more building blocks to use with operations, and to derive more heard-of predicates.